Shwed

[11] Patent Number: 5,606,668
[45] Date of Patent: Feb. 25, 1997
`[54] SYSTEM FOR SECURING INBOUND AND
`OUTBOUND DATA PACKET FLOW IN A
`COMPUTER NETWORK
`
`[75] Inventor: Gil Shwed, Jerusalem, Israel
`
`[73] Assignee: Checkpoint Software Technologies
`Ltd., Jerusalem, Israel
`
`[21] Appl. No.: 168,041
`[22] Filed:
`Dec. 15, 1993
`
`[51] Int. Cl.6 ......................... .. G06F 13/36; G06F 15/401
`[52] US. Cl. ........
`...................... .. 395/200.11; 395/2001;
`395/836; 395/186; 395/187.01; 380/42
`[58] Field of Search .......................... .. 395/200.0l, 2001,
`395/200.ll, 835, 836, 186, 726, 187.01;
`380/42
`
`[56]
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`4,315,315
`4,736,320
`5,247,693
`
`364/300
`2/1982 Kossiakolf
`364/300
`4/1988 Bristol .... ..
`9/1993 Bristol ................................... .. 395/800
`
OTHER PUBLICATIONS

“A Software Design and Implementation for Filtering, Forwarding and Ciphering in a Secure Bridge”, Soriano et al, IEEE, 1992, pp. 487-492.
“A Network Firewall”, Marcus J. Ranum, Digital Equipment Corporation.
“Network (In)Security Through IP Packet Filtering”, D. Brent Chapman, Proceedings of the Third USENIX UNIX Security Symposium; Baltimore, MD, Sep. 1992.
“The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment”, David R. Safford, Douglas Lee Schales, David K. Hess, UNIX Security Symposium IV, Oct. 4-6, 1993.
“The Design of a Secure Internet Gateway”, Bill Cheswick, AT&T Bell Laboratories, Jun. 1990.
“An Internet Gatekeeper”, Herve Schauer, Christophe Wolfhugel, Herve Schauer Consultants.
`
Primary Examiner—Thomas C. Lee
Assistant Examiner—Rehana Perveen Krick
Attorney, Agent, or Firm—Ladas & Parry
`
[57] ABSTRACT

A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules is defined in a high level form and translated into packet filter code. The packet filter code is loaded into packet filter modules located at strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.
`
`12 Claims, 18 Drawing Sheets
`
`5
`
`5
`:
`l
`E
`l
`
`
`
`1011 . REMOTE SITE
`
`I
`l
`I
`
`I
`I
`I
`
`I
`I
`I
`I
`I
`I
`
`I
`I
`I
`l
`
`I
`I
`I
`I
`I
`l
`
`212
`
`206
`
`,
`
`E
`
`c’: 5
`PACKET E
`FILTER
`5
`A ,
`;
`203/
`5
`
`204 t
`
`5
`
`CONTROL
`MODULE
`
`204
`
`204i
`
`
`
`104 122
`
`
`
`104 124 fj124§
`
`we
`
`W15 5
`
`O PACKET FILTER MODULE
`. ROUTER PROGRAMMING SCRIPT
`
`Google Ex. 1110, pg. 1
`
`
`
U.S. Patent   Feb. 25, 1997   Sheet 1 of 18   5,606,668
`
`108
`106
`r/ r/
`
`SYS. ADMIN.
`
`ROUTER
`
`110
`\ ROUTER
`
`112
`
`MS
`
`\
`104 104
`
`r_______....______....___
`
`GNV
`
`FIG.1
`
`
[FIG. 2 (Sheet 2 of 18): the network of FIG. 1 with the security system installed. Legible labels: CONTROL MODULE, PACKET FILTER, INTERNET; reference numerals 104, 112, 204, 208. Legend: O = PACKET FILTER MODULE, • = ROUTER PROGRAMMING SCRIPT.]
`
`
`...,4<_moS»
`
`\IInIIIIiaIll
`
`.95m..,=uSczEE$25.58__.z8.=§=sm.§@25:58
`
`
`_B.Ess.E8_mafia\Emma\3.":_8.=85ma;SamW
`
`V...
`
`M...
`
` W
`
`<m.0_n_mom
`
`Google Ex. 1110, pg. 4
`
`Ezd»25¢v_._<._.
`
`Tam1....
`
`ompmamh
`
`mm__E<n_
`
`m_oz<z_u_
`
`
`
` .:<_2@mmo:/mmmZOE.<ZE.mmQ
`
`wmm>mmm
`
`
`
`.mm_>>m_>03W.>>m_>sm:.m>wwmo_>mm_mQn
`
`
`
`
`
`
`
`
`
`me/éommoo”MO(EQmmm<mmhamTq.H<>9BE
`
`
`
`
`
`
`
`_,.,n..$_.Em_.._.%m_,.,w....,.m._..._..__.3,.m..y.w.m.m._§.9._,mmimHam...,.(.u._..:n_
`
`\I:IIIIIIIxII\un:IaIIIIu:I\onuIIInAIIII
`
`Google Ex. 1110, pg. 4
`
`
`
`
`
[FIG. 3B (Sheet 4 of 18): FIREWALL-1 NETWORK OBJECT MANAGER, window 304. VIEW BY TYPES: INTERNAL, HOST, NET, [illegible], ROUTER, GATEWAY, DOMAIN, GROUP. Objects listed: CEO, CFO, FINANCE, TRUSTED PARTIES, LOCALNET, MAIL SERVERS (domain shown as .BRM.CO.LL). Buttons: DELETE SELECTED OBJECTS, CREATE NEW OBJECTS. COPYRIGHT ©1993 CHECKPOINT SOFTWARE TECHNOLOGIES LTD.]
`
`
[FIG. 3C (Sheet 5 of 18): FIREWALL-1 SERVICES MANAGER, window 306. VIEW BY TYPES: TCP, UDP, RPC, OTHER, GROUP. Services listed, each with its protocol (TCP or UDP): XTERM, X11, AUTH_TELNET, BIFF, DAYTIME, DISCARD, ECHO, EXEC, FINGER, FTP. Buttons: DELETE SELECTED OBJECTS, CREATE NEW OBJECTS. COPYRIGHT ©1993 CHECKPOINT SOFTWARE TECHNOLOGIES LTD.]
`
`
`
`
`
`
[Sheet 6 of 18: rotated screen drawing; text not recoverable from the scan.]
`
`
`400 \
`
`402
`
`404
`
`GET FIRST RULE
`
`406 \
`
`GENERATE CODE
`TO MATCH RULE
`SOURCE
`NETWORK OBJECTS
`
`408 \
`
`GENERATE CODE
`TO MATCH RULE
`DESTINATION
`NETWORK OBJECTS
`
`GET NEXT
`RULE
`
`\ 416
`
`GENERATE CODE
`TO MATCH RULE
`SERVICES
`
`GENERATE CODE TO ACCEPT
`OR REJECT THE PACKET
`IF 406,408,410 WERE
`MATCHED
`
`YES
`
`MORE RULES
`
`FIG.4
`
`
`500
`
`R
`
`nG
`
`642O864Mmu.mMmWw
`
`EW
`
`MNTNWmmmKKm_IMPRWC.MCS0LFWEHCINAlN_..HMEMmW_WMTN.Dc07.4.321.
`
`WKT"m_MEuDNWCNERm0NSEWDE"%TEWEH_RCU.HTTATRNO.ANEPMEHmmNw_mAT5_CPR,Mm___MUGUmu4.3H5
`
`FlG.5
`
`
`600
`
`\
`
`602
`( 1.PACKETRECE|VED )/
`I
`f
`2. GET FILTER OPERATIONS
`
`604
`
`v
`3. INITIALIZE MEMORY
`
`606
`f
`
`4. GET FIRST VIRTUAL MACHINE OPERATION
`
`f 608 I
`I
`610 |
`
`5. PERFORM VIRTUAL MACHINE OPERATION
`I>\
`\
`
`613
`7. GET NEXT OPERATION /
`
`“
`
`612
`
`614
`
`\
`\
`
`NO
`
`6. REACHED
`STOP STATE?
`
`I
`|
`I
`
`I
`I
`
`618
`
`616
`
`YES, PASS THE PACKET
`
`NO, DROP THE PACKET
`
`FIG-.6
`
`
`610
`5.PERFORM VIRTUAL f
`MACHINE OPERATION
`
`702
`
`704
`
`R \
`DATA
`EXTRACTION
`
`\ 613
`
`f r
`U
`
`LOGICAL
`OPERATION
`
`706
`COMPAR'SON //
`
`fr
`JI
`
`614
`
`6. REACHED
`STOP STATE '?
`
`F|G.7
`
`
[FIG. 8 (Sheet 11 of 18): DATA EXTRACTION 702. Blocks: START; PACKET; EXTRACT DATA FROM PACKET; PUT DATA INTO MEMORY; MEMORY STACK; END (reference numerals 802-812).]
`
`
`704
`
`LOGICAL OPERATION
`
`902
`
`904
`
`START
`
`GET FIRST VALUE
`FROM MEMORY
`
`1
`
`GET SECOND VALUE
`FROM MEMORY 4
`
`908
`
`906
`
`MEMORY
`STACK
`
`914
`
`FALSE
`
`PERFORM
`LOGICAL
`OPERATION
`
`TRUE
`
`912
`
`PUT 0
`IN MEMORY
`
`916
`
`PUT 1
`IN MEMORY
`
`END
`
`
[FIG. 10 (Sheet 13 of 18): COMPARISON OPERATION 706. Blocks: START; GET FIRST VALUE FROM MEMORY; GET SECOND VALUE FROM MEMORY; MEMORY STACK; COMPARE VALUES; PUT 1 IN MEMORY; PUT 0 IN MEMORY; END (reference numerals 1002-1016).]
`
`
[FIG. 11 (Sheet 14 of 18): ENTERING A LITERAL VALUE TO MEMORY. Blocks: START; GET LITERAL VALUE FROM CODE; PUT VALUE INTO MEMORY; MEMORY STACK; END (reference numerals 1102-1110).]
`
`
[FIG. 12 (Sheet 15 of 18): CONDITIONAL BRANCH OPERATION. Blocks: GET VALUE FROM MEMORY STACK; MEMORY STACK; BRANCH CONDITION, TRUE → SET NEXT STEP TO N, FALSE → continue; END (reference numerals 1202-1216).]
`
`
[FIG. 13 (Sheet 16 of 18): ARITHMETIC AND BITWISE OPERATION. Blocks: START; GET FIRST VALUE FROM MEMORY; GET SECOND VALUE FROM MEMORY; PERFORM ARITHMETIC OR BITWISE OPERATION; PUT RESULT IN MEMORY; END (reference numerals 1302-1314).]
`
`
`1402
`
`f 1406
`
`MEMORY
`
`1404
`
`f
`% A
`
`GET VALUES
`FROM MEMORY
`
`1410
`\
`
`TABLE1
`
`-
`
`TABLE 2
`
`TABLE 3 \
`SEARCH THE VALUES
`IN THE REFERRED
`1408
`\ TABLE -
`
`1416
`
`IS THE VALUE
`IN THE TABLE
`?
`
`1414
`
`PUT 1
`IN MEMORY
`I
`
`PUT 0
`IN MEMORY
`I
`
`1418
`
`FIG.14
`
`
`1510
`\
`
`TABLE1
`
`TABLE 2
`
`TABLE 3
`
`1502
`
`f 1506
`
`MEMORY
`
`1504
`f
`W/ A
`
`GET VALUES
`FROM MEMORY
`
`\\ v
`
`1508
`
`PUT VALUES
`IN THE REFERRED
`\ TABLE
`
`1516
`
`YES
`
`\
`
`PUT 1
`IN MEMORY
`
`SUCCEEDED
`
`?
`
`NO
`A
`
`1514
`
`/
`
`PUT 0
`IN MEMORY
`
`2 1518
`
`FIG.15
`
`SYSTEM FOR SECURING INBOUND AND
`OUTBOUND DATA PACKET FLOW IN A
`COMPUTER NETWORK
`
`BACKGROUND OF THE INVENTION
`
This application relates, in general, to a method for controlling computer network security. More specifically, it relates to an easily alterable or expandable method for computer network security which controls information flow on the network from/to external and internal destinations.

Connectivity and security are two conflicting objectives in the computing environment of most organizations. The typical modern computing system is built around network communications, supplying transparent access to a multitude of services. The global availability of these services is perhaps the single most important feature of modern computing solutions. Demand for connectivity comes both from within organizations and from outside them.

Protecting network services from unauthorized usage is of paramount importance to any organization. UNIX workstations, for example, once connected to the Internet, will offer to the entire world all the services which they offer to another station on the next table. Using current technology, an organization must give up much of its connectivity in order to prevent vulnerability, even to the extent of eliminating all connections to the outside world or other sites.

As the need for increased security grows, the means of controlling access to network resources has become an administrative priority. In order to save cost and maintain productivity, access control must be simple to configure and transparent to users and applications. The minimization of setup costs and down time are also important factors.

Packet filtering is a method which allows connectivity yet provides security by controlling the traffic being passed, thus preventing illegal communication attempts, both within single networks and between connected networks.

Current implementations of packet filtering allow specification of access list tables according to a fixed format. This method is limited in its flexibility to express a given organization's security policy. It is also limited to the set of protocols and services defined in that particular table. This method does not allow the introduction of different protocols or services which are not specified in the original table.

Another method of implementing packet filtering is tailoring the computer operating system code manually at every strategic point in the organization. This method is limited in its flexibility to future changes in network topology, new protocols, enhanced services and future security threats. It requires a large amount of work by experts modifying proprietary computer programs, making it insufficient and expensive to set up and maintain.
`
`20
`
`25
`
`35
`
`40
`
`50
`
`55
`
SUMMARY OF THE INVENTION

It is a general object of the present invention to produce a flexible, easily-alterable security method which controls information flow on a computer network.

Another object of the invention is to control information flow on the network from/to internal as well as external destinations.

A further object of the invention is to control information flow by means of a packet filter capable of examining every packet of information flowing past a node in the system.

A still further object of the invention is to provide a generic packet filter module which is controlled by a set of instructions to implement a given security policy at a node to accept (pass) or reject (drop) the packet.

Yet another object of the invention is to provide a security method for a computer network which is easily alterable by the system administrator without the need to change the nature of the packet filter itself or to write extensive code.

These and other objects, features and advantages are provided by a method of operating a computer network, in which data is passed in said network as data packets, for controlling the passage of said data packets in the network according to a security rule, the method comprising the steps of generating, in at least one computer in the network, a definition of each aspect of the network controlled by a security rule; generating said security rule, in said computer, in terms of said aspect definitions, for controlling at least one of said aspects; converting said security rule into a set of filter language instructions for controlling operation of a packet filtering module which controls passage of said data packet; providing a packet filter module in at least one network entity to control the passage of data packets in accordance with said rule, said module emulating said packet filtering module; said module reading and executing said instructions for operating said packet filtering module virtual machine to either accept or reject the passage of said packet in said network.

Another aspect of the invention includes a security system for a computer network in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, a method for operating the system comprising the steps of providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module emulating a packet filtering module which controls passage of said data packet; said module reading and executing said instructions for operating said packet filtering module to either accept or reject the passage of said packet in said network.

A further aspect of the invention comprises a security system for a computer network in which data is placed in said network as data packets, said system controlling passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into filter language instructions, a method for operating the system comprising the steps of providing a packet filter module in at least one entity of the network to be controlled by said security rule, said module emulating a packet filtering module which controls passage of said data packet; said module reading and executing said instructions for a packet filtering operation; storing the results in a storage device; said module reading and executing instructions and utilizing said stored results for operating said packet filter module to accept or reject the passage of said packet in said network.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example of a network topology;
FIG. 2 shows a security system of the present invention applied to the network topology of FIG. 1;
FIG. 3 shows the computer screen of the network administrator of FIG. 2 in greater detail;
FIG. 4 is a flow diagram of the subsystem for converting graphical information to filter script;
FIG. 5 is a flow diagram of an information flow on a computer network employing the present invention;
FIG. 6 is a flow diagram of the operation of the packet filter shown in FIG. 5;
FIG. 7 is a flow diagram showing the virtual machine operations shown in FIG. 6;
FIG. 8 is a flow diagram of the data extraction method of FIG. 7;
FIG. 9 is a flow diagram of the logical operation method of FIG. 7;
FIG. 10 is a flow diagram of the comparison operation method of FIG. 7;
FIG. 11 is a flow diagram of the method of entering a literal value to memory;
FIG. 12 is a flow diagram of a conditional branch operation;
FIG. 13 is a flow diagram of an arithmetic and bitwise operation;
FIG. 14 is a flow diagram of a lookup operation; and
FIG. 15 is a flow diagram of a record operation.
`DETAILED DESCRIPTION
`
Referring now to FIG. 1, an example network topology is shown. In this example, the main site 100 contains a system administrator function embodied in workstation 102. This workstation is coupled to the network which includes workstations 104, router 110 and gateway 106. Router 110 is coupled via satellite 112 to a remote site via gateway 122. Gateway 106 is coupled via router 108 to the Internet. The remote site 120 comprises workstations 124 which are coupled to the network and via gateway 122 to the Internet. The particular configuration shown herein is chosen as an example only and is not limitive of the type of network on which the present invention can work. The number of configurations that networks can take is virtually limitless and techniques for setting up these configurations are well known to those skilled in the art. The present invention can operate on any of these possible configurations.

FIG. 2 shows the network of FIG. 1 in which the present invention has been installed. In FIG. 2, elements also shown in FIG. 1 have the same reference numerals. As shown, the system administrator 102 includes a control module 210, a packet filter generator 208, a display 206 and a storage medium 212. Packet filters 204 have been installed on the system administrator, workstations 104 and gateway 106. Gateway 106 has two such filters, one on its connection to the network and one on its connection to the router 108. Routers 108 and 110 each have a programming script table which is generated by the security system, but which forms no part of the present invention, and will not be described in detail. These tables correspond to the tables that are currently utilized to program routers, as is well known to those skilled in the art.

Packet filters 204 are also installed on the gateway 122 of the remote site 120. One packet filter is installed on the connection between the satellite 112 and the gateway 122, a second packet filter is installed on the connection between the Internet and gateway 122 and a third packet filter is installed on the connection between the gateway and the network.

Information flows on the network in the form of packets, as is well known to those skilled in the art. The location of the packet filters in FIG. 2 is chosen so that data flow to or from a particular object of the network, such as a workstation, router or gateway, can be controlled. Thus, workstations 104 each have a packet filter so that the information flow to/from these workstations is separately controlled. At the remote site 120, however, the packet filter is placed on the connection between the gateway 122 and the network, thus there is no individual control over the data flow to/from the workstations 124. If such individualized control were required, packet filters could be placed on each of the workstations 124, as well. Each of the packet filters is installed at the time that the network is set up or the security system is installed, although additional packet filters can be installed at a later date. The packet filters are installed on the host device, such as the workstation or gateway, at which protection is desired.
`
Each of the packet filters operates on a set of instructions which has been generated by the packet filter generator 208 in the system administrator 102. These instructions enable complex operations to be performed on the packet, rather than merely checking the content of the packet against a table containing the parameters for acceptance or rejection of the packet. Thus, each packet filter can handle changes in security rules with great flexibility as well as handle multiple security rules without changing the structure of the packet filter itself.

The system administrator enters the security rules via a graphical user interface (GUI) which is displayed upon the monitor 206 and explained in more detail with respect to FIG. 3. This information is processed by the packet filter generator 208 and the resulting code is transmitted to the appropriate packet filter or filters in the network to perform the function that is desired. Control module 210 enables the system administrator to keep track of the operations of the network and storage 212 can be utilized to keep logs of operations on the network and attempts of illegal entry into the network. The system operator can thereby be provided with full reports as to the operation of the network and the success or failure of the security rules. This enables the security administrator to make those changes that are appropriate in order to maintain the security of the network without limiting its connectivity.
FIG. 3 shows the computer screen 206 in FIG. 2 in more detail. The screen is broken into four windows, two smaller windows at the left side and two larger windows at the right side. Network objects and services are two aspects of the network which must be defined in the security method of the present invention. Window 304 is used to define network objects such as the workstations, gateways and other computer hardware connected to the system. It is also possible to group various devices together such as, for example, the finance department, the research and development department, the directors of the company. It is thus possible to control data flow not only to individual computers on the network, but also to groups of computers on the network by the appropriate placement of packet filters. This allows the system operator to have a great deal of flexibility in the managing of communications on the network. It is possible, for example, to have the chief financial officer as well as other higher ranking officials of the company such as the CEO and the directors able to communicate directly with the finance group, but filter out communications from other groups. It is also possible to allow electronic mail from all groups but to limit other requests for information to a specified set of computers. This allows the system operator to provide internal as well as external security for the network. The object definition would include the address of the object on the network, as well as a name or group, whether the object is internal or external to the network, whether or not a packet filter has been installed on this object and a graphical symbol. The graphical symbol is used in connection with the rule base manager 302.
Similarly, network services are defined in block 306 on the screen. These network services can include login, route, syslog and telnet, for example. Each service is defined by generic and specific properties. The generic properties include the code string that identifies the service, for example “dport” (destination port), which is equal to 23 for telnet. The code strings that identify the incoming and outgoing packets are also specified. Specific properties include the name of the service, the port used to provide the service, and the timeout in seconds of how long a connectionless session may stay inactive, that is, having no packet transmitted in either direction, before assuming that the session is completed. Other elements of a service definition might include the program number for RPC services and the outbound connections for accepted services that use connectionless protocols such as UDP. The graphic symbol and its color are also specified.
Block 302 is the rule base manager which allows a new security rule to be entered into the system in a graphical manner, thus freeing the system administrator from having to write code to implement a particular security rule or to change a security rule. Only four elements are required to enter the new security rule into the system. The first element is the source of the data packet and the third element is the destination of the packet. The second element is the type of service that is involved and the fourth element is the action that should be taken. The actions that can be taken are to accept the packet, in which case the packet is passed from the source to the destination, or to reject the packet, in which case the packet is not passed from the source to the destination. If the packet is rejected, either no action is taken or a negative acknowledgement is sent indicating that the packet was not passed to the destination. In addition, a further element which can be specified is the installation location for the rule, which specifies on which objects the rule will be enforced (see FIG. 2). If an installation location is not specified, the system places the packet filter module on the communication destination by default. These objects are not necessarily the destination. For example, a communication from the Internet and destined for a local host must necessarily pass through a gateway. Therefore, it is possible to enforce the rule on the gateway, even though the gateway is neither the source nor the destination. By entering the data with acronyms or graphic symbols, each rule can quickly be entered and verified without the need for writing, compiling and checking new code for this purpose. Thus, the system administrator need not be an expert in programming a computer for security purposes. As long as the service is one of the services already entered into the system, the computer serving as the host for the system administrator function will process the information into a set of instructions for the appropriate packet filter, as described in greater detail below.

Block 308 is a system snapshot which summarizes the setup and operations of the security system. It is not required to practice the present invention. The system snapshot displays a summary of the system using graphical symbols. The summary can include, for example, the host icon, host name, rule base name, which is the name of the file containing the rule base, and the date the rule base was installed on the host. It can also show the status of the host, indicating whether or not there have been communications with the host, as well as the number of packets inspected by, dropped by and logged by the host.
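The service properties described above (protocol, port, and an inactivity timeout for connectionless sessions) together with the record operation of FIG. 15 and the lookup operation of FIG. 14 are enough to build a small session table for a connectionless service such as UDP. The Python program below is an added example, not code from the patent or from the product it describes; the service definitions, the table capacity, the packet fields and the choice to reject an outbound request whose session cannot be recorded are all assumptions made for the illustration.

```python
"""Added example: a session table for connectionless services built from the
record (FIG. 15) and lookup (FIG. 14) operations, with the per-service
inactivity timeout of a service definition.  Not code from the patent; the
services, packets and capacity limit are constructed for illustration."""

# Constructed service definitions: name -> (protocol, server port, timeout in seconds).
SERVICES = {"dns": ("udp", 53, 40), "ntp": ("udp", 123, 40)}


def service_for(proto, port):
    """Find the service whose protocol and port match; (None, None) if unknown."""
    for name, (svc_proto, svc_port, timeout) in SERVICES.items():
        if svc_proto == proto and svc_port == port:
            return name, timeout
    return None, None


class SessionTable:
    """One of the tables a record/lookup operation can refer to."""

    def __init__(self, max_entries=1024):
        self.max_entries = max_entries
        self._expiry = {}            # session key -> time at which it expires

    def record(self, key, timeout, now):
        """FIG. 15: put values in the referred table.  Returns 1 on success,
        0 if the table is full (the constructed failure case)."""
        if key not in self._expiry and len(self._expiry) >= self.max_entries:
            return 0
        self._expiry[key] = now + timeout
        return 1

    def lookup(self, key, now):
        """FIG. 14: is the value in the table?  An entry whose inactivity
        timeout has elapsed is removed and treated as absent."""
        expiry = self._expiry.get(key)
        if expiry is None:
            return 0
        if now >= expiry:
            del self._expiry[key]
            return 0
        return 1


def filter_udp(table, pkt, now):
    """Accept an outbound request to a known service and record the session
    under the key the reply will carry (server -> client); accept an inbound
    packet only if it matches a recorded, unexpired session.  A packet in
    either direction restarts the inactivity timer."""
    if pkt["direction"] == "out":
        name, timeout = service_for(pkt["proto"], pkt["dport"])
        if name is None:
            return "reject"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if not table.record(key, timeout, now):
            return "reject"          # assumption: cannot track it, so do not let it out
        return "accept"
    name, timeout = service_for(pkt["proto"], pkt["sport"])
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if name is not None and table.lookup(key, now):
        table.record(key, timeout, now)
        return "accept"
    return "reject"


def simulate():
    """Constructed trace: a DNS query at t=0, its reply at t=5, an unsolicited
    packet from another server at t=6, a further reply at t=30, and a reply at
    t=120 after the 40 s inactivity timeout (last restarted at t=30) has elapsed."""
    table = SessionTable()
    query = dict(direction="out", proto="udp", src="10.0.0.1", sport=40000,
                 dst="192.0.2.53", dport=53)
    reply = dict(direction="in", proto="udp", src="192.0.2.53", sport=53,
                 dst="10.0.0.1", dport=40000)
    stray = dict(reply, src="192.0.2.99")
    return [
        filter_udp(table, query, 0),
        filter_udp(table, reply, 5),
        filter_udp(table, stray, 6),
        filter_udp(table, reply, 30),
        filter_udp(table, reply, 120),
    ]


if __name__ == "__main__":
    print(simulate())
```

The key is stored the way the reply will present it, so the inbound side needs no reversal, and every matched packet re-records the entry to restart the timer; an entry is only discarded when a lookup finds it past its expiry, so a stray packet from another server never refreshes a session it does not belong to.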
`
`10
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`65
`
FIG. 4 shows a flow chart of the subsystem for converting the information on the GUI to a filter script which contains the rules utilized for the packet filter. In the preferred embodiment, the output of the filter script generator is compiled into object code which is then implemented by the packet filter module, as described below.

The subsystem 400 starts at 402 and proceeds to block 404, which obtains the first rule from the GUI. The first rule is the first line on the screen in which a new security rule has been identified, as shown in FIG. 3. Control then proceeds to block 406 in which code is generated to match the rule source network objects. That is, the source of the packet is entered into the source code block as representing one of the objects of the system from which the data packet will emanate. Control then passes to block 408 in which code is generated in the destination code block to indicate which object of the network the data packet is destined for. Control then passes to block 410 in which code is generated to match the rule services that were chosen. The rule services have been defined previously and are stored within the system or, if not defined, will be defined at the time the security rule regulating the service is entered into the system. Control then passes to block 412 in which code is generated to accept or reject the packet if the data blocks 406, 408 and 410 were matched, that is, the results of the checks were true. The action to accept or reject is based upon the action chosen in the security rule. Control then passes to the decision block 414 which determines whether or not more rules are to be entered into the system. If no more rules are to be entered into the system, the subsystem terminates at block 418. If more rules are to be entered into the system, control passes to block 416 which obtains the next rule and passes control back to block 406, at which time the process repeats and the next security rule, found on the next line of the GUI, is processed.
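The rule-to-code conversion of FIG. 4 and the stack-machine execution of FIGS. 6 through 13 can be illustrated together. The Python program below is an added example, not code from the patent or from the product it describes; the instruction names, the network objects and their addresses, the services, the rules, the packets and the choice to drop a packet that matches no rule are all assumptions made for the illustration. It compiles each four-element rule into code that matches the source object, the destination object and the service in turn, with a failed test branching to the next rule and a full match reaching the accept or reject stop state, and then runs that code over constructed packets on a memory stack.

```python
"""Added example (not code from the patent): a rule compiler in the manner
of FIG. 4 and a stack-machine packet filter in the manner of FIGS. 6-13.
The objects, services, rules, packets and instruction names are constructed."""

# Constructed network objects: name -> table of addresses (strings stand in for IPs).
OBJECTS = {
    "localnet": {"10.0.0.1", "10.0.0.2", "10.0.0.3"},
    "mailsrv": {"10.0.0.2"},
    "internet": {"198.51.100.7"},
}
# Constructed services: name -> (protocol, destination port); cf. dport 23 for telnet.
SERVICES = {"telnet": ("tcp", 23), "smtp": ("tcp", 25), "dns": ("udp", 53)}
# Rules in the four-element form of the rule base manager:
# (source object, destination object, service, action).
RULES = [
    ("internet", "mailsrv", "smtp", "accept"),
    ("internet", "localnet", "telnet", "reject"),
    ("localnet", "internet", "dns", "accept"),
]


def compile_rules(rules):
    """FIG. 4: for each rule emit code for block 406 (source), 408 (destination)
    and 410 (service), then block 412 (accept/reject).  Every test ends in a
    conditional branch; a failed test jumps to the next rule's first instruction."""
    code = []
    for src, dst, svc, action in rules:
        proto, port = SERVICES[svc]
        branches = []                       # indexes of branches to patch
        # 406: extract the source address and look it up in the source object's table
        code += [("extract", "src"), ("lookup", src)]
        branches.append(len(code))
        code.append(("jf", None))
        # 408: the same for the destination object
        code += [("extract", "dst"), ("lookup", dst)]
        branches.append(len(code))
        code.append(("jf", None))
        # 410: the service matches when protocol matches AND destination port matches
        code += [("extract", "proto"), ("lit", proto), ("eq", None),
                 ("extract", "dport"), ("lit", port), ("eq", None), ("and", None)]
        branches.append(len(code))
        code.append(("jf", None))
        # 412: the stop state is reached only if 406, 408 and 410 all matched
        code.append((action, None))
        for i in branches:                  # the next rule starts at len(code)
            code[i] = ("jf", len(code))
    return code


def run_filter(code, packet):
    """FIG. 6: initialize memory (a stack) and perform virtual machine
    operations until a stop state.  Running off the end means no rule
    matched; dropping the packet in that case is this example's choice."""
    stack, pc = [], 0
    while pc < len(code):
        op, arg = code[pc]
        pc += 1
        if op == "extract":                 # data extraction, FIG. 8
            stack.append(packet[arg])
        elif op == "lit":                   # literal value, FIG. 11
            stack.append(arg)
        elif op == "lookup":                # table lookup, FIG. 14
            stack.append(int(stack.pop() in OBJECTS[arg]))
        elif op == "eq":                    # comparison, FIG. 10
            b, a = stack.pop(), stack.pop()
            stack.append(int(a == b))
        elif op == "and":                   # logical operation, FIG. 9
            b, a = stack.pop(), stack.pop()
            stack.append(int(bool(a) and bool(b)))
        elif op == "jf":                    # conditional branch, FIG. 12
            if stack.pop() == 0:
                pc = arg
        elif op in ("accept", "reject"):    # stop states
            return op
        else:
            raise ValueError("unknown operation %r" % (op,))
    return "reject"


# Constructed packets holding the fields the filter code extracts.
PACKETS = {
    "smtp_in": {"src": "198.51.100.7", "dst": "10.0.0.2", "proto": "tcp", "dport": 25},
    "telnet_in": {"src": "198.51.100.7", "dst": "10.0.0.3", "proto": "tcp", "dport": 23},
    "dns_out": {"src": "10.0.0.1", "dst": "198.51.100.7", "proto": "udp", "dport": 53},
    "ssh_in": {"src": "198.51.100.7", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
}


def decide(name):
    """Compile the rule base and filter one of the constructed packets."""
    return run_filter(compile_rules(RULES), PACKETS[name])


if __name__ == "__main__":
    for name in PACKETS:
        print(name, "->", decide(name))
```

Every rule compiles to the same fifteen-instruction shape, so the three rules give 45 instructions and the first failing branch of rule 1 targets index 15, where rule 2 begins. Each test pushes exactly one value that its branch pops, so the stack is empty at every rule boundary; a packet that matches no rule, such as ssh_in, falls through all three rules and is dropped.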
Communication protocols are layered, which is also referred to as a protocol stack. The ISO (International Standardization Organization) has defined a general model which provides a framework for the design of communication protocol layers. This model serves as a basic reference for understanding the functionality of existing communication protocols.
`
ISO MODEL

Layer   Functionality                      Example
  7     Application                        Telnet, NFS, Novell NCP
  6     Presentation                       XDR
  5     Session                            RPC
  4     Transport                          TCP, Novell SPX
  3     Network                            IP, Novell IPX
  2     Data Link (Hardware Interface)     Ethernet, Token Ring, T1
  1     Physical (Hardware Connection)     Network Interface Card
`
Different communication protocols employ different levels of the ISO model. A protocol in a certain layer may not be aware of protocols employed at other layers. This is an important factor when taking security actions. For example, an application (Level 7) may not be able to identify the source computer for a communication attempt (Levels 2-3), and therefore may not be able to provide sufficient security.
`
FIG. 5 shows how a packet filter module of the present invention is utilized within the ISO model. The communication layers of the ISO model are shown at 502 at the left hand portion of FIG. 5. Level 1, block 504, is the hardware connection of the network which may be the wire used to connect the various objects of the network. The second level, block 506 in FIG. 5, is the network interface hardware which is located in each computer on the network. The packet filter module of the present invention intercedes between this level and level 3, which is the network software. Briefly, for the sake of completeness, the other levels of the ISO model are level 4, block 510, which relates to the delivery of data from one segment to the next; level 5, block 512, which synchronizes the opening and closing of a “session” on the network; level 6, block 514, which relates to the changing of data between various computers on the network; and level 7, block 516, which is the application program.

A packet entering the computer on which the packet filter module resides passes through layers 1 and 2 and then is diverted to the packet filter 520, shown on the right hand portion of FIG. 5. The packet is received in block 522. In block 524, the packet is compared with the security rule and a determination is made as to whether or not the packet matches the rule. If the packet matches the rule, it may be logged on the system administrator's log and, if an illegal attempt has been made to enter the system, an alert may be issued. Control then passes to block 534 in which a decision is made whether or not to pass the packet based upon the requirements of the